Threat Overview
The Iranian threat actor Nimbus Manticore has expanded its operations to target defense, telecommunications, and aviation sectors across Western Europe. This report provides a detailed analysis of the group’s tactics, techniques, and procedures (TTPs), as well as recommendations for mitigating potential threats.
Report Summary
The threat report published by AlienVault on September 22, 2025, highlights Nimbus Manticore’s sophisticated spear-phishing techniques. The group impersonates HR recruiters to lure victims into fake career portals, using the MiniJunk backdoor and MiniBrowse stealer as their primary tools. These malware variants have evolved to employ advanced evasion techniques such as multi-stage DLL sideloading, heavy obfuscation, and code signing.
Detailed Analysis
The malware infrastructure leverages Azure App Services for resilient command and control, demonstrating the group’s focus on stealth and operational security. The report emphasizes Nimbus Manticore’s increased targeting efforts in alignment with Iranian strategic priorities.
Key Points:
- Target Sectors: Defense, telecommunications, and aviation.
- Primary Tools: MiniJunk backdoor and MiniBrowse stealer.
- Evasion Techniques: Multi-stage DLL sideloading, heavy obfuscation, code signing.
- Command and Control: Azure App Services.
The Tactics of Nimbus Manticore
The group’s spear-phishing campaigns are tailored to the individual target. Operators pose as HR recruiters and steer the victim to a fake career portal styled after a legitimate employer’s site; the portal is not the end goal but the delivery point for the MiniJunk backdoor and MiniBrowse stealer, so the lure succeeds once the victim engages with it.
MiniJunk and MiniBrowse are not new tools, but the current builds add several layers intended to defeat detection. Multi-stage DLL sideloading abuses the Windows DLL search order: a legitimate, signed executable is shipped next to a malicious DLL carrying a name the executable expects to load, so the malicious code is mapped into a trusted, signed process, and later stages are pulled in by that DLL rather than by a dropper a scanner would inspect. Heavy obfuscation of the payload slows reverse engineering and defeats static signatures, and signing the binaries with a code-signing certificate means they pass controls that treat a valid signature as a proxy for trust. Taken together, the chain leaves few of the indicators a file-based scanner keys on; the useful signals are behavioural, such as a signed process loading an unsigned DLL from a user-writable directory.
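The behavioural signal just described can be checked mechanically against endpoint telemetry. The script below is an added example written for this page, not code from the report or from any vendor tool: it applies three side-loading heuristics to Sysmon Event ID 7 (Image loaded) records and groups hits per process so a chained, multi-stage load stands out. The key=value record layout, the sample events, the directory prefixes and the DLL name list are constructed for illustration; only the field names (Image, ImageLoaded, SignatureStatus, ProcessGuid) follow the real Sysmon schema.

```python
"""Heuristic DLL side-loading detection over Sysmon Event ID 7 (Image loaded).

Added example for this page, not code from the report.  The record layout
(key=value fields separated by '|'), the sample events, the directory
prefixes and the DLL name list are constructed for illustration; the field
names (Image, ImageLoaded, SignatureStatus, ProcessGuid) follow Sysmon."""
import ntpath
from collections import defaultdict

# Locations a standard user can write to.  A DLL mapped from here into a
# process that started from the same folder is the classic side-load shape.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Locations where a DLL with a Windows system library name belongs.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")
# Library names that normally resolve to System32 (illustrative list).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll",
                    "userenv.dll", "cryptbase.dll", "profapi.dll"}

# Constructed sample telemetry: a benign notepad load, a two-stage chain in
# a user's Temp folder, a benign Program Files load, and a non-Event-7 record.
SAMPLE_EVENTS = [
    "EventID=7|ProcessGuid={A1}|Image=C:\\Windows\\System32\\notepad.exe"
    "|ImageLoaded=C:\\Windows\\System32\\version.dll|SignatureStatus=Valid",
    "EventID=7|ProcessGuid={B2}|Image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\Careers\\setup.exe"
    "|ImageLoaded=C:\\Users\\jdoe\\AppData\\Local\\Temp\\Careers\\version.dll|SignatureStatus=Unavailable",
    "EventID=7|ProcessGuid={B2}|Image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\Careers\\setup.exe"
    "|ImageLoaded=C:\\Users\\jdoe\\AppData\\Local\\Temp\\Careers\\core.dll|SignatureStatus=Unavailable",
    "EventID=7|ProcessGuid={C3}|Image=C:\\Program Files\\Vendor\\app.exe"
    "|ImageLoaded=C:\\Program Files\\Vendor\\helper.dll|SignatureStatus=Valid",
    "EventID=1|ProcessGuid={D4}|Image=C:\\Windows\\System32\\cmd.exe",
]


def parse_event(line):
    """Split one 'key=value|key=value' record into a dict."""
    rec = {}
    for field in line.split("|"):
        key, _, value = field.partition("=")
        rec[key.strip()] = value.strip()
    return rec


def classify(rec):
    """Return the side-loading indicators present in one Event 7 record."""
    image = rec["Image"].lower()
    dll = rec["ImageLoaded"].lower()
    dll_dir = ntpath.dirname(dll) + "\\"
    reasons = []
    # 1. DLL comes from the executable's own directory and that directory is
    #    user-writable: the attacker controlled both files.
    if dll_dir == ntpath.dirname(image) + "\\" and dll_dir.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("DLL loaded from the executable's own user-writable directory")
    # 2. A system library name resolved outside the trusted locations: the
    #    search order picked the attacker's copy before System32.
    if ntpath.basename(dll) in SYSTEM_DLL_NAMES and not dll_dir.startswith(TRUSTED_PREFIXES):
        reasons.append("system DLL name resolved outside System32 / Program Files")
    # 3. The DLL itself carries no valid signature and lives where users can write.
    if rec.get("SignatureStatus", "").lower() != "valid" and dll_dir.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("unsigned or invalidly signed DLL from a user-writable path")
    return reasons


def detect(lines):
    """Map ProcessGuid -> [(dll_path, reasons)] for every suspicious load.

    Grouping by process makes a multi-stage chain visible: several flagged
    DLLs under one GUID means the first stage went on to load the next."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_event(line)
        if rec.get("EventID") != "7":
            continue
        reasons = classify(rec)
        if reasons:
            hits[rec["ProcessGuid"]].append((rec["ImageLoaded"], reasons))
    return dict(hits)


if __name__ == "__main__":
    for guid, loads in detect(SAMPLE_EVENTS).items():
        print(f"{guid}: {len(loads)} suspicious load(s)")
        for path, reasons in loads:
            print(f"  {path}")
            for reason in reasons:
                print(f"    - {reason}")
```

On the constructed sample, only process {B2} is reported, with two flagged loads: version.dll trips all three heuristics and core.dll trips two, which is the shape of a first-stage sideload handing off to a second DLL. The notepad and Program Files loads are left alone. In production the same logic runs as an EDR or SIEM rule over real Event 7 data, and the heuristics should be tuned against a baseline, since some legitimate installers also unpack into Temp and load their own DLLs.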
Evasion and Operational Security
Hosting command and control (C2) on Azure App Services makes the infrastructure harder both to block and to take down. App Service endpoints sit under Microsoft-owned domains and IP ranges, so outbound traffic to them blends with legitimate cloud use, reputation-based filtering rarely flags them, and a defender cannot blocklist the platform wholesale without breaking business applications hosted on the same service; removing a malicious app also requires the provider’s cooperation rather than a registrar’s.
Combined with the evasion techniques above, this lets the group hold access to compromised systems for extended periods and raises the likelihood that data exfiltration or follow-on activity completes before it is noticed.
Recommendations
To mitigate the risks posed by Nimbus Manticore, organizations in the targeted sectors should implement the following recommendations:
- Email Security: Enforce SPF, DKIM, and DMARC on inbound mail, sandbox links and attachments, and tag messages from external senders. Recruiter-themed messages that arrive from free-mail or look-alike domains and push the reader to a third-party “careers” site are the pattern to flag.
- Employee Training: Run regular phishing awareness sessions and give staff one concrete rule: verify any unsolicited job offer or recruiter contact through the employer’s official careers page or a known HR contact, and never install anything a recruiting site asks for. Staff in the targeted sectors should understand that they are the intended audience.
- Endpoint Protection: Deploy EDR that records image loads and alerts when a signed executable loads a DLL from a user-writable path (the user profile or Temp, for example), when a DLL carrying a Windows system library name is loaded from outside System32, or when a freshly downloaded executable appears alongside a DLL in the same folder. Do not treat a valid code signature as proof of safety, since the group signs its binaries.
- Network Monitoring: Log egress at the proxy or DNS layer and baseline which *.azurewebsites.net hosts your users legitimately reach. Alert on App Service hostnames not in that baseline, especially from user workstations, and on connections with machine-regular timing; do not try to block the suffix wholesale, since legitimate business applications run on the same platform.
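The egress baseline in the last recommendation can be turned into a small detector. The following Python is an added example for this page, not tooling from the report: it reads proxy log lines, skips Azure App Services hosts on an assumed allowlist, and reports the remaining ones, marking a (source, host) pair as beacon-like when its connection timing is machine-regular. The log lines, the allowlist, the field layout and the thresholds are constructed assumptions; the one real fact relied on is that App Service default hostnames end in .azurewebsites.net.

```python
"""Beacon-style detection for Azure App Services hosts in proxy logs.

Added example for this page, not tooling from the report.  The log line
layout, sample lines, allowlist and thresholds are constructed assumptions;
the one real fact used is that App Service default hostnames end in
.azurewebsites.net."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

AZURE_APP_SUFFIX = ".azurewebsites.net"
# App Service hosts the organisation legitimately uses (assumed).  Everything
# else under the suffix is reviewed, not blocked: the platform is shared.
ALLOWLIST = {"hr-portal-prod.azurewebsites.net"}
MIN_HITS = 5       # below this no cadence can be established
MAX_JITTER = 0.2   # stdev/mean of inter-arrival gaps; small means machine-regular

# Constructed proxy log: "<utc timestamp> <src ip> <dest host> <status> <bytes>"
SAMPLE_PROXY_LOG = [
    "2025-09-22T10:00:00Z 10.1.2.3 careers-sync-eu.azurewebsites.net 200 412",
    "2025-09-22T10:00:07Z 10.1.2.4 hr-portal-prod.azurewebsites.net 200 18822",
    "2025-09-22T10:01:15Z 10.1.2.3 www.example.com 200 9031",
    "2025-09-22T10:05:02Z 10.1.2.3 careers-sync-eu.azurewebsites.net 200 410",
    "2025-09-22T10:09:40Z 10.1.2.5 someapp-test.azurewebsites.net 200 7302",
    "2025-09-22T10:10:01Z 10.1.2.3 careers-sync-eu.azurewebsites.net 200 415",
    "2025-09-22T10:15:03Z 10.1.2.3 careers-sync-eu.azurewebsites.net 200 409",
    "2025-09-22T10:20:00Z 10.1.2.3 careers-sync-eu.azurewebsites.net 200 413",
    "2025-09-22T10:25:02Z 10.1.2.3 careers-sync-eu.azurewebsites.net 200 411",
    "2025-09-22T11:47:19Z 10.1.2.5 someapp-test.azurewebsites.net 200 7302",
]


def parse_proxy_line(line):
    """Return (datetime, src, host, status, size) for one constructed log line."""
    ts, src, host, status, size = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host.lower(), int(status), int(size)


def beacon_score(timestamps):
    """Return (mean gap in seconds, jitter) for a sorted list of datetimes.

    Jitter is the coefficient of variation of the gaps; a sleep-and-poll
    implant produces a value near zero, human browsing does not."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def analyse(lines):
    """Return one finding per (src, host) pair that reaches an unlisted App Service host."""
    seen = defaultdict(list)
    for line in lines:
        ts, src, host, _status, _size = parse_proxy_line(line)
        if host.endswith(AZURE_APP_SUFFIX) and host not in ALLOWLIST:
            seen[(src, host)].append(ts)
    findings = []
    for (src, host), stamps in sorted(seen.items()):
        stamps.sort()
        finding = {"src": src, "host": host, "hits": len(stamps)}
        if len(stamps) >= MIN_HITS:
            gap, jitter = beacon_score(stamps)
            finding["mean_gap_s"] = round(gap)
            finding["jitter"] = round(jitter, 3)
            finding["verdict"] = "beacon-like" if jitter <= MAX_JITTER else "review: unlisted app host"
        else:
            # Too few connections to judge cadence; still worth a look because
            # the host is not on the baseline.
            finding["verdict"] = "review: unlisted app host"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_PROXY_LOG):
        print(finding)
```

On the constructed log, 10.1.2.3 reaching careers-sync-eu.azurewebsites.net six times at roughly five-minute intervals comes out as beacon-like (mean gap 300 s, jitter well under 0.01), the two visits from 10.1.2.5 to an unlisted test host are returned for review, and the allowlisted HR portal never appears. The verdict is a triage cue, not a conviction: monitoring agents and update checkers also poll on a fixed schedule, so confirm against the allowlist and the originating process before acting.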
Conclusion
The threat posed by Nimbus Manticore is significant, particularly for organizations in the defense, telecommunications, and aviation sectors. By understanding their TTPs and implementing the recommended mitigations, security analysts can better protect against these sophisticated attacks.